tcpslice fails on large files
Setup
I have a network trace in tcpdump format that is around 30GB in size. tcpslice is version 1-1a3.
Symptoms
When I tried to slice out a portion of the trace which started around midway through the trace, tcpslice failed with the following error: fseek() failed in read_up_to()
Background
fseek() and many other standard file I/O functions do not support files larger than 2GB. fseeko() and friends should be used instead.
Resolution
After running ./configure in the source directory, edit Makefile and add the following definitions to the line that starts with DEFS =: -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE.
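The effect of those two definitions, shown as an added example that is not code from tcpslice: fseek() takes its offset as a long, so a build where long is 32 bits cannot express an offset midway through a 30GB trace, while fseeko() with a 64-bit off_t can. The helper names and the 15GiB offset are constructed for illustration, and the macros are set in the source here instead of in DEFS.

```c
/* Same effect as adding the -D flags to DEFS; must precede every #include. */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif
#ifndef _LARGEFILE_SOURCE
#define _LARGEFILE_SOURCE
#endif

#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Models a build where long is 32 bits (an assumption for illustration):
   returns 1 if the offset could be handed to fseek() there, 0 otherwise. */
int fits_32bit_long(int64_t offset)
{
    return offset >= INT32_MIN && offset <= INT32_MAX;
}

/* Writes one marker byte at `offset` in a sparse temporary file, seeks back
   to it with fseeko(), and checks that ftello() and the byte both match.
   Returns 0 on success, -1 on any failure. */
int roundtrip_at(int64_t offset)
{
    FILE *fp = tmpfile();
    int rc = -1;

    if (fp == NULL)
        return -1;
    if (sizeof(off_t) < 8)              /* large-file macros not in effect */
        goto out;
    if (fseeko(fp, (off_t)offset, SEEK_SET) != 0 || fputc('M', fp) == EOF)
        goto out;
    if (fflush(fp) != 0)
        goto out;
    rewind(fp);
    if (fseeko(fp, (off_t)offset, SEEK_SET) != 0)
        goto out;
    if (ftello(fp) == (off_t)offset && fgetc(fp) == 'M')
        rc = 0;
out:
    fclose(fp);
    return rc;
}

int main(void)
{
    int64_t mid = INT64_C(15) << 30;    /* constructed: midpoint of a ~30GB trace */
    printf("fits in a 32-bit long: %d\n", fits_32bit_long(mid));
    printf("fseeko round trip: %s\n", roundtrip_at(mid) == 0 ? "ok" : "failed");
    return 0;
}
```

The temporary file is sparse, so the round trip needs only a few kilobytes of disk space on filesystems that support holes.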
The 1-1a3 version would not compile for me on Linux. It failed with many errors like these:
tcpslice.c:230: error: storage size of `t' isn't known
tcpslice.c:274: error: dereferencing pointer to incomplete type
To solve that problem, download the latest daily snapshot of the tcpslice source from tcpdump.org's daily snapshots, and work with that source instead of the 1-1a3 version.
Update
Caleb Phillips points out that the tcpslice daily snapshots no longer compile easily on Linux. He says he's had better luck using version 1.2a2 with the Ubuntu patches like this:
wget http://archive.ubuntu.com/ubuntu/pool/universe/t/tcpslice/tcpslice_1.2a2.orig.tar.gz
tar xvzf tcpslice_1.2a2.orig.tar.gz
cd tcpslice_1.2a2
wget http://archive.ubuntu.com/ubuntu/pool/universe/t/tcpslice/tcpslice_1.2a2-4.diff.gz
gzip -d tcpslice_1.2a2-4.diff.gz
patch < tcpslice_1.2a2-4.diff
Thanks, Caleb! (2006-12-19)